CN111600865B - Abnormal communication detection method and device, electronic equipment and storage medium - Google Patents


Publication number
CN111600865B
CN111600865B
Authority
CN
China
Prior art keywords
abnormal
address
dns
traffic
types
Legal status
Active
Application number
CN202010392083.9A
Other languages
Chinese (zh)
Other versions
CN111600865A (en
Inventor
沈伟
范渊
黄进
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202010392083.9A
Publication of CN111600865A
Application granted
Publication of CN111600865B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/02 Capturing of monitoring data
    • H04L 43/028 Capturing of monitoring data by filtering
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The application discloses an abnormal communication detection method, an abnormal communication detection device, an electronic device and a storage medium. The method comprises: collecting traffic passing through a DNS port; obtaining the application-layer content of the collected traffic and judging whether it conforms to the DNS protocol specification; separately counting the types and number of occurrences that do not conform to the DNS protocol specification, to obtain the anomaly types and anomaly counts corresponding to each traffic IP address; and, if the number of anomaly types exceeds a first threshold and the proportion of anomalous occurrences to the total number of occurrences exceeds a second preset threshold, judging that the corresponding traffic IP address is performing abnormal communication over the DNS port and generating alarm information. The method and device can therefore detect communication that uses the DNS port without using the DNS protocol and identify the behaviour of abusing the DNS port for abnormal communication, making communication anomaly detection on the DNS port more comprehensive and improving communication security.

Description

Abnormal communication detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an abnormal communication detection method and apparatus, an electronic device, and a computer-readable storage medium.
Background
DNS is the distributed database that maps domain names to IP addresses on the Internet and makes the Internet easier to use. Because general firewalls cannot block DNS traffic, and most firewalls do not block the port used by the DNS protocol when deployed, users can carry out abnormal communication over the DNS port to bypass the firewall, and some viruses and trojans also use the DNS port to connect back to command-and-control servers.
How to detect such abuse of the DNS port is therefore a major concern for those skilled in the art.
Disclosure of Invention
An object of the present application is to provide an abnormal communication detection method, apparatus, electronic device and computer-readable storage medium that can detect communication which uses a DNS port without using the DNS protocol.
To achieve the above object, the present application provides an abnormal communication detection method, including:
collecting traffic passing through a DNS port;
obtaining the application-layer content of the collected traffic and judging whether the application-layer content conforms to the DNS protocol specification;
separately counting the types and the number of occurrences that do not conform to the DNS protocol specification, to obtain the anomaly types and anomaly counts corresponding to each traffic IP address;
and, if the number of anomaly types exceeds a first threshold and the proportion of anomalous occurrences to the total number of occurrences exceeds a second preset threshold, judging that the corresponding traffic IP address performs abnormal communication over the DNS port and generating alarm information.
Optionally, separately counting the non-conforming types and occurrences to obtain the anomaly types and anomaly counts corresponding to each traffic IP address includes:
obtaining the transport-layer content of the collected traffic to determine the source IP address and destination IP address of each traffic flow;
and taking the source IP address and destination IP address as an address pair, and separately counting, for each address pair, the anomaly types and anomaly counts that do not conform to the DNS protocol specification.
Optionally, the method further includes:
storing the traffic data that does not conform to the DNS protocol specification in a storage area for backtracking analysis.
Optionally, judging whether the application-layer content conforms to the DNS protocol specification includes one or more of:
judging whether the request type lies within the range of valid request types; judging whether the data offset during parsing stays below the total data length; judging whether the response type lies within the range of valid response types; judging whether the response type matches the actual response content; and judging whether the domain name has the basic characteristics of a domain name.
Optionally, after judging that the corresponding traffic IP address performs abnormal communication over the DNS port and generating the alarm information, the method further includes:
determining the corresponding target process from the traffic IP address and terminating the target process.
Optionally, the alarm information includes any one or a combination of: the traffic IP address, the anomaly types, the anomaly counts, the proportion of anomalous occurrences to the total number of occurrences, and the traffic data corresponding to the anomalies.
To achieve the above object, the present application provides an abnormal communication detection apparatus, including:
a traffic collection module for collecting traffic passing through a DNS port;
a protocol judgment module for obtaining the application-layer content of the collected traffic and judging whether it conforms to the DNS protocol specification;
an anomaly statistics module for separately counting the types and number of occurrences that do not conform to the DNS protocol specification, to obtain the anomaly types and anomaly counts corresponding to each traffic IP address;
and an anomaly alarm module for judging that the corresponding traffic IP address performs abnormal communication over the DNS port, and generating alarm information, if the number of anomaly types exceeds a first threshold and the proportion of anomalous occurrences to the total number of occurrences exceeds a second preset threshold.
Optionally, the anomaly statistics module includes:
a determining unit for obtaining the transport-layer content of the collected traffic to determine the source IP address and destination IP address of each traffic flow;
and a counting unit for taking the source IP address and destination IP address as an address pair and separately counting, for each address pair, the anomaly types and anomaly counts that do not conform to the DNS protocol specification.
To achieve the above object, the present application provides an electronic device including:
a memory for storing a computer program;
a processor for implementing the steps of any of the aforementioned disclosed abnormal communication detection methods when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any one of the abnormal communication detecting methods disclosed in the foregoing disclosure.
In summary, the abnormal communication detection method provided by the application comprises: collecting traffic passing through a DNS port; obtaining the application-layer content of the collected traffic and judging whether it conforms to the DNS protocol specification; separately counting the non-conforming types and occurrences to obtain the anomaly types and anomaly counts for each traffic IP address; and, if the number of anomaly types exceeds a first threshold and the proportion of anomalous occurrences to the total exceeds a second preset threshold, judging that the corresponding traffic IP address performs abnormal communication over the DNS port and generating alarm information. After collecting the traffic on the DNS port, the method analyses it to identify whether it actually uses the DNS protocol; for traffic that does not conform to the DNS protocol specification, the anomaly types and anomaly counts are tallied per traffic IP address, and an abnormal-communication alarm is generated once they satisfy the alarm condition.
The application also discloses an abnormal communication detection apparatus, an electronic device and a computer-readable storage medium that achieve the same technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of an abnormal communication detection method disclosed in an embodiment of the present application;
fig. 2 is a flowchart of an embodiment of an abnormal communication detection method disclosed in the embodiment of the present application;
fig. 3 is a structural diagram of an abnormal communication detection apparatus disclosed in an embodiment of the present application;
fig. 4 is a block diagram of an electronic device disclosed in an embodiment of the present application;
fig. 5 is a block diagram of another electronic device disclosed in the embodiments of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In conventional technology, a general firewall does not block DNS traffic, and most firewalls do not block the port used by the DNS protocol when deployed. A user can therefore carry out abnormal communication over the DNS port to bypass the firewall, and some viruses and trojans also use the DNS port to connect back to their command-and-control servers.
The embodiment of the present application therefore discloses an abnormal communication detection method that can detect communication which uses the DNS port without using the DNS protocol.
Referring to fig. 1, an abnormal communication detection method disclosed in the embodiment of the present application includes:
S101: collecting traffic passing through a DNS port;
In the embodiment, traffic passing through the DNS port is collected. Specifically, DPDK may be used to capture the traffic passing through the well-known DNS port on the network interface card.
S102: obtaining the application-layer content of the collected traffic and judging whether it conforms to the DNS protocol specification;
In this step the collected traffic is parsed to obtain its application-layer content, and it is judged whether that content conforms to the DNS protocol specification, that is, whether the traffic actually uses the DNS protocol.
As one possible implementation, judging whether the application-layer content conforms to the DNS protocol specification may include one or more of: judging whether the request type lies within the range of valid request types; judging whether the data offset during parsing stays below the total data length; judging whether the response type lies within the range of valid response types; judging whether the response type matches the actual response content; and judging whether the domain name has the basic characteristics of a domain name.
S103: separately counting the types and number of occurrences that do not conform to the DNS protocol specification, to obtain the anomaly types and anomaly counts corresponding to each traffic IP address;
In a specific implementation, the collected traffic is parsed to obtain its transport-layer content and thereby the source IP address and destination IP address of each traffic flow. The source and destination IP addresses are then taken as an address pair, the IP address pair is used as the statistical dimension, and the anomaly types and anomaly counts not conforming to the DNS protocol specification are tallied for each IP address pair.
It can be understood that, after detecting that the application layer of a traffic flow does not conform to the DNS protocol specification, the embodiment may further store that non-conforming traffic data in a storage area for backtracking analysis.
S104: if the number of anomaly types exceeds a first threshold and the proportion of anomalous occurrences to the total number of occurrences exceeds a second preset threshold, judging that the corresponding traffic IP address performs abnormal communication over the DNS port and generating alarm information.
As a feasible implementation, when, for any IP address, the number of anomaly types exceeds the first threshold and the ratio of anomalous occurrences to total occurrences exceeds the second preset threshold, it is determined that the corresponding traffic IP address is performing abnormal communication over the DNS port; corresponding alarm information may then be generated and pushed to the responsible management terminal to report the anomaly.
It should be noted why both conditions are required. A protocol violation caused by a program fault is usually of a single kind and does not produce several anomalies of different types; a protocol violation caused by a network fault still leaves a large proportion of normal data; whereas data that is not DNS at all typically triggers several anomalies of different types and contains very little data that fully conforms to the DNS protocol specification. By counting both the number of distinct anomaly types and the anomaly proportion (from which the proportion of normal data follows), protocol violations caused by program faults, network faults and similar causes are excluded, the false-alarm rate is reduced and detection accuracy is improved.
The first preset threshold and the second preset threshold can be set according to the actual deployment; the application does not limit their values.
It should be noted that the alarm information may include, but is not limited to: the traffic IP address, the anomaly types, the anomaly counts, the proportion of anomalous occurrences to the total, and the traffic data corresponding to the anomalies, where the traffic IP address may comprise the source IP address and the destination IP address.
Further, after it is determined that a traffic IP address performs abnormal communication over the DNS port, the embodiment may also determine the corresponding target process from the traffic IP address and terminate that process, so as to deal with the abnormal communication promptly.
In summary, after collecting the traffic on the DNS port, the method analyses it to identify whether it actually uses the DNS protocol; for traffic that does not conform to the DNS protocol specification, the anomaly types and anomaly counts are tallied per traffic IP address, and abnormal-communication alarm information is generated once they satisfy the alarm condition.
The abnormal communication detection method provided by the embodiment is described in detail below through a specific implementation. Referring to Fig. 2:
Step 1: collect traffic on the well-known DNS port.
DPDK is used to capture the traffic passing through the well-known DNS port on the network interface card.
Step 2: parse the transport-layer protocol of the collected traffic.
The transport-layer content of the collected traffic is parsed according to the UDP format to obtain the source IP that initiated the request and the destination IP that responded.
Step 3: determine whether the DNS protocol is used.
The application-layer content of the captured traffic is parsed according to the DNS message format and checked against the DNS protocol specification.
The conformance checks may include: whether the request type lies within the valid type range; whether the parsing offset stays below the total data length; whether the response type lies within the valid type range; whether the response type matches the actual type of the response content, for example a record whose declared type is IPv4 (A) but whose content is not an IPv4 address; and whether the parsed domain name has the basic characteristics of a domain name.
Specifically, the valid type range may include, but is not limited to, the types defined in the protocol standards, such as the A, CNAME, MX, NS, TXT and AAAA types.
When judging whether a parsed domain name has the basic characteristics of a domain name, it is checked whether the name contains an ASCII dot ('.'): a name without one is judged not to have those characteristics. Alternatively, or in addition, it is checked whether the name contains invisible (non-printable) characters: a name containing such characters is judged not to have those characteristics.
Step 4: tally by IP address pair.
Based on the result of Step 3, statistics are kept per IP address pair consisting of the source IP address and the destination IP address, counting separately for each pair how many occurrences conform to the DNS protocol specification. Traffic data that does not conform may be saved as packets for later backtracking analysis; for each IP address pair, at most Y1 packets are kept per non-conforming type. In a specific implementation, Y1 may be set to 100.
Step 5: identify whether the DNS port is used for abnormal communication.
The anomaly statistics of every IP address pair are evaluated at a fixed interval. If the number of anomaly types of an IP address pair exceeds the threshold Y2 and the proportion of occurrences conforming to the DNS protocol specification to the total number of communications is below the threshold Y3, the IP address pair is judged to be using the DNS port for abnormal communication (a conforming proportion below Y3 is the same condition as the anomalous proportion exceeding 1 - Y3 in the claims). After all IP address pairs have been evaluated, the historical statistics may be cleared and counting restarted. In the embodiment, the interval may be set to 30 minutes, Y2 to 3 and Y3 to 50%.
Step 6: generate alarm information.
After an IP address pair is judged to be using the DNS port for abnormal communication, corresponding alarm information may be generated, which may include, but is not limited to: the source IP address that initiated the request, the destination IP address, the categories that do not conform to the DNS protocol specification, the number of anomalies in each category, the anomaly proportion, and the saved anomalous traffic packets.
Step 7: analysis and investigation.
The alarm information is pushed to the responsible management terminal. On seeing it, the administrator can judge from the alarm content and the saved packets whether the alarm is a false positive and whether serious harm has been caused. If it is not a false positive, the specific device is located from the source IP address, the specific process is then located from the connection state of the IP address pair, the process is stopped and the malicious software is removed.
In addition, a threat intelligence database can be queried with the destination IP address to learn, for example, whether the address belongs to a known attacker group, so as to eliminate hidden risks further.
The embodiment can thus detect abnormal communication over the DNS port and identify the source and destination IP addresses involved, so that an administrator can locate the corresponding device from the source IP address and remove the malicious software, achieving anomaly investigation and improving communication security.
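The checks of Step 3, the per-pair tally of Step 4 and the alarm rule of Step 5 (the same logic described under S102 to S104 above), as an added example that is not code from the patent or from DBAPPSecurity: a small Python checker that parses one DNS-port datagram, names each violated check, tallies violations per (requester, responder) address pair and raises an alarm under the embodiment's values (Y2 = 3 anomaly types, Y3 = 50% conforming, Y1 = 100 saved packets per type). The anomaly names, the set of record types treated as the valid range, the packet builder and the sample datagrams are this example's own assumptions; capture (Step 1, DPDK) and the 30-minute window are left to the caller, which passes one window's datagrams to detect(). "Exceeds Y2" is read as strictly greater than, so an alarm needs at least four distinct anomaly types, which is why a program that keeps repeating one malformed request is not flagged.

```python
"""Added example, not code from the patent or DBAPPSecurity: DNS conformance checks and per-address-pair
anomaly statistics modelled on steps 3-6 of the embodiment. Anomaly names, thresholds, builder and samples are assumptions."""
import struct
from collections import defaultdict

VALID_TYPES = {1, 2, 5, 6, 12, 15, 16, 28}   # A NS CNAME SOA PTR MX TXT AAAA: the assumed "valid type range"
FIXED_RDLEN = {1: 4, 28: 16}                 # RDATA length an A / AAAA record must carry
Y2_TYPES, Y3_RATIO = 3, 0.5                  # embodiment: more than 3 anomaly types and under 50 % conforming

def read_name(buf, off):
    """Decode a DNS name at buf[off] -> (name, next_offset); ValueError if a label or pointer leaves the datagram."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of datagram")        # the 'offset exceeds total length' check
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:                                           # compression pointer, RFC 1035 4.1.4
            if off >= len(buf) or ((n & 0x3F) << 8 | buf[off]) >= off - 1:
                raise ValueError("truncated, forward or self-referencing pointer")
            tail, _ = read_name(buf, (n & 0x3F) << 8 | buf[off])
            return ".".join(labels + [tail]), off + 1
        if off + n > len(buf):
            raise ValueError("label runs past end of datagram")
        labels.append(buf[off:off + n].decode("latin-1"))
        off += n

def check_dns(payload):
    """Return the set of anomaly types found in one DNS-port datagram (empty set = conforming)."""
    found = set()
    try:
        _, _, qd, an, _, _ = struct.unpack("!6H", payload[:12])       # short slice -> struct.error
        off = 12
        for _ in range(qd):
            name, off = read_name(payload, off)
            qtype, _ = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            if qtype not in VALID_TYPES:                               # request type outside valid range
                found.add("bad_qtype")
            if "." not in name or not name.isprintable():              # basic domain-name features
                found.add("bad_name")
        for _ in range(an):
            _, off = read_name(payload, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
            off += 10
            if off + rdlen > len(payload):
                raise ValueError("rdata runs past end of datagram")
            if rtype not in VALID_TYPES:                               # response type outside valid range
                found.add("bad_rtype")
            elif rtype in FIXED_RDLEN and rdlen != FIXED_RDLEN[rtype]:
                found.add("rdata_mismatch")                            # e.g. type A whose content is not 4 bytes
            off += rdlen
    except (ValueError, struct.error):
        found.add("bad_offset")
    return found

class PairStats:
    """Counters for one (requester, responder) pair in one window; keeps at most Y1 offending datagrams per type."""
    def __init__(self, keep=100):
        self.total = self.ok = 0
        self.per_type, self.saved, self.keep = defaultdict(int), defaultdict(list), keep
    def add(self, anomalies, payload):
        self.total, self.ok = self.total + 1, self.ok + (not anomalies)
        for a in anomalies:
            self.per_type[a] += 1
            if len(self.saved[a]) < self.keep:                         # retained for backtracking analysis
                self.saved[a].append(payload)
    def is_abnormal(self):                                             # alarm rule: >Y2 types and <Y3 conforming
        return len(self.per_type) > Y2_TYPES and self.ok / self.total < Y3_RATIO

def detect(datagrams):
    """datagrams: (src_ip, dst_ip, payload) tuples from one window -> alarm records keyed by address pair."""
    stats = defaultdict(PairStats)
    for src, dst, payload in datagrams:
        stats[(src, dst)].add(check_dns(payload), payload)
    return {pair: {"types": dict(s.per_type), "total": s.total,
                   "abnormal_ratio": round(1 - s.ok / s.total, 3),
                   "saved_packets": {t: len(v) for t, v in s.saved.items()}}
            for pair, s in stats.items() if s.is_abnormal()}

def build(qname=b"example.com", qtype=1, answers=(), flags=0x0100):
    """Constructed datagram builder for the sample input; a name starting 0xC0 is emitted as-is (a pointer)."""
    enc = lambda n: n if n[:1] == b"\xc0" else b"".join(bytes([len(l)]) + l for l in n.split(b".")) + b"\x00"
    rrs = b"".join(enc(n) + struct.pack("!HHIH", t, 1, 60, len(rd)) + rd for n, t, rd in answers)
    return struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0) + enc(qname) + struct.pack("!HH", qtype, 1) + rrs

GOOD = build()                                                               # conforming A query
GOOD_RESP = build(answers=[(b"\xc0\x0c", 1, bytes([93, 184, 216, 34]))], flags=0x8180)  # answer uses a pointer
BAD = [build(qtype=0xFFFF),                                                  # bad_qtype
       build()[:20],                                                         # bad_offset: cut inside the name
       build(answers=[(b"example.com", 0xFFFE, b"x")], flags=0x8180),        # bad_rtype
       build(answers=[(b"example.com", 1, b"not 4 bytes")], flags=0x8180),   # rdata_mismatch
       build(qname=b"localhost"),                                            # bad_name: no dot
       build(qname=b"exam\x01ple.com")]                                      # bad_name: non-printable character
# Constructed window: a normal client with one cut datagram, a host pushing non-DNS data over port 53, a buggy program.
SAMPLE = ([("10.0.0.5", "10.0.0.53", p) for p in [GOOD] * 6 + [GOOD_RESP, GOOD_RESP, BAD[1]]]
          + [("10.0.0.7", "203.0.113.9", p) for p in BAD + [GOOD]]
          + [("10.0.0.9", "10.0.0.53", BAD[0])] * 10)
```

detect(SAMPLE) returns one alarm, for the pair (10.0.0.7, 203.0.113.9): five anomaly types over seven datagrams, an abnormal share of 0.857 and two saved packets under bad_name. The client with a single cut datagram and the program repeating one malformed query produce no alarm, which is the filtering argument made under S104. Compression pointers are followed, with a guard against forward and self-referencing pointers, so that ordinary responses are not miscounted as offset violations.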
An abnormal communication detection apparatus provided by an embodiment of the present application is introduced below; the apparatus described here and the method described above may be referred to in conjunction with each other.
Referring to Fig. 3, the abnormal communication detection apparatus according to an embodiment includes:
a traffic collection module 201, configured to collect traffic passing through a DNS port;
a protocol judgment module 202, configured to obtain the application-layer content of the collected traffic and judge whether it conforms to the DNS protocol specification;
an anomaly statistics module 203, configured to separately count the types and number of occurrences that do not conform to the DNS protocol specification, to obtain the anomaly types and anomaly counts corresponding to each traffic IP address;
and an anomaly alarm module 204, configured to judge that the corresponding traffic IP address performs abnormal communication over the DNS port, and to generate alarm information, if the number of anomaly types exceeds a first threshold and the ratio of anomalous occurrences to total occurrences exceeds a second preset threshold.
For the specific implementation of modules 201 to 204, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.
On the basis of the foregoing embodiment, as a preferred implementation, the anomaly statistics module may specifically include:
a determining unit for obtaining the transport-layer content of the collected traffic to determine the source IP address and destination IP address of each traffic flow;
and a counting unit for taking the source IP address and destination IP address as an address pair and separately counting, for each address pair, the anomaly types and anomaly counts that do not conform to the DNS protocol specification.
The present application further provides an electronic device. Referring to Fig. 4, which shows the structure of an electronic device provided in an embodiment, it includes:
a memory 100 for storing a computer program;
and a processor 200 which, when executing the computer program, implements the steps provided by any of the foregoing embodiments.
Specifically, the memory 100 includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and computer-readable instructions, and the internal memory provides the environment in which they run. The processor 200 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data-processing chip; it provides the computing and control capability of the electronic device, and when it executes the computer program stored in the memory 100 the abnormal communication detection method of any of the foregoing embodiments is implemented.
On the basis of the above embodiment, as a preferred implementation, and referring to Fig. 5, the electronic device further includes:
an input interface 300 connected to the processor 200, for receiving computer programs, parameters and instructions imported from outside and storing them in the memory 100 under the control of the processor 200. The input interface 300 may be connected to an input device that receives parameters or instructions entered manually by a user; the input device may be a touch layer over a display screen, a button, trackball or touchpad on the terminal housing, or a keyboard, touchpad or mouse.
a display unit 400 connected to the processor 200, for displaying data processed by the processor 200 and a visual user interface. The display unit 400 may be an LED display, a liquid-crystal display, a touch-sensitive liquid-crystal display, an OLED (organic light-emitting diode) touch panel, or the like.
and a network port 500 connected to the processor 200, for communication with external terminal devices. The communication technology may be wired or wireless, for example Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High-Definition Multimedia Interface (HDMI), Wi-Fi, Bluetooth, Bluetooth Low Energy, or IEEE 802.11s-based communication.
Although Fig. 5 shows only an electronic device having components 100 to 500, those skilled in the art will appreciate that the configuration shown in Fig. 5 does not limit the electronic device, which may include fewer or more components than shown, combine some components, or arrange them differently.
The present application also provides a computer-readable storage medium, which may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk. The storage medium stores thereon a computer program which, when executed by a processor, implements the abnormal communication detection method provided by any of the foregoing embodiments.
After the traffic on the DNS port is collected, it is parsed to identify whether it actually uses the DNS protocol. For traffic that does not conform to the DNS protocol specification, the abnormal types and abnormal counts are tallied per traffic IP address, and alarm information for abnormal communication is generated once the abnormal types and abnormal counts satisfy the alarm condition.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art may make several improvements and modifications to the present application without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An abnormal communication detection method, comprising:
collecting the traffic passing through a DNS port;
acquiring the application layer content of the collected traffic, and determining whether the application layer content conforms to the DNS protocol specification;
respectively counting the types and the number of times that do not conform to the DNS protocol specification, to obtain the abnormal types and abnormal times corresponding to each traffic IP address;
and if the abnormal type exceeds a first threshold and the proportion of the abnormal times to the total times exceeds a second preset threshold, determining that the corresponding traffic IP address uses the DNS port for abnormal communication, and generating alarm information.
2. The abnormal communication detection method according to claim 1, wherein respectively counting the types and the number of times that do not conform to the DNS protocol specification, to obtain the abnormal types and abnormal times corresponding to each traffic IP address, comprises:
acquiring the transport layer content of the collected traffic to obtain the source IP address and destination IP address corresponding to each traffic;
and taking the source IP address and the destination IP address as an address pair, and respectively counting the abnormal types and abnormal times of each address pair that do not conform to the DNS protocol specification.
3. The abnormal communication detection method according to claim 2, further comprising:
and storing the traffic data that does not conform to the DNS protocol specification in a storage area for retrospective analysis.
4. The abnormal communication detection method according to claim 1, wherein determining whether the application layer content conforms to the DNS protocol specification comprises:
determining whether the request type is within the valid request type range, whether the data offset length is less than the total data length, whether the response type is within the valid response type range, whether the response type matches the actual response content, or whether the domain name conforms to the basic characteristics of a domain name.
5. The abnormal communication detection method according to any one of claims 1 to 4, wherein after determining that the corresponding traffic IP address uses the DNS port for abnormal communication and generating the alarm information, the method further comprises:
determining the corresponding target process according to the traffic IP address, and closing the target process.
6. The abnormal communication detection method according to claim 5, wherein the alarm information comprises any one or a combination of: the traffic IP address, the abnormal type, the abnormal times, the proportion of the abnormal times to the total times, and the traffic data corresponding to the abnormality.
7. An abnormal communication detection apparatus, comprising:
a traffic collection module for collecting the traffic passing through a DNS port;
a protocol determination module for acquiring the application layer content of the collected traffic and determining whether the application layer content conforms to the DNS protocol specification;
an abnormality counting module for respectively counting the types and the number of times that do not conform to the DNS protocol specification, to obtain the abnormal types and abnormal times corresponding to each traffic IP address;
and an abnormality alarm module for determining that the corresponding traffic IP address uses the DNS port for abnormal communication and generating alarm information if the abnormal type exceeds a first threshold and the proportion of the abnormal times to the total times exceeds a second preset threshold.
8. The abnormal communication detection apparatus according to claim 7, wherein the abnormality counting module comprises:
a determining unit for acquiring the transport layer content of the collected traffic to obtain the source IP address and destination IP address corresponding to each traffic;
and a counting unit for taking the source IP address and the destination IP address as an address pair and respectively counting the abnormal types and abnormal times of each address pair that do not conform to the DNS protocol specification.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the abnormal communication detection method of any one of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the abnormal communication detecting method according to any one of claims 1 to 4.
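As an added example (my own illustration, not code from the patent or its assignee), the following Python implements the detection flow of claims 1, 2 and 4 over constructed sample packets: each DNS payload is parsed and checked for the conditions listed in claim 4, anomalies are tallied per (source IP, destination IP) address pair as in claim 2, and an alarm is raised when both thresholds of claim 1 are exceeded. The set of valid record types, the anomaly type names, the threshold defaults, and the reading of "abnormal type exceeds a first threshold" as "the number of distinct anomaly types exceeds the threshold" are all assumptions made here, not details given by the patent.

```python
"""Added example (not the patent's code): parse DNS payloads seen on the DNS port,
tally anomaly types and counts per (source IP, destination IP) pair, and raise an
alarm when both thresholds of claim 1 are exceeded. Thresholds, type names and the
valid-type set are assumptions; the checks follow the list in claim 4."""
import struct
from collections import defaultdict

VALID_TYPES = {1, 2, 5, 6, 12, 15, 16, 28, 33, 255}   # assumption: common RR/QTYPE values
VALID_RCODES = set(range(6))                          # RFC 1035 RCODEs 0..5
FIXED_RDLEN = {1: 4, 28: 16}                          # A / AAAA RDATA sizes for the type-vs-content check
NAME_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def read_name(buf, off, hops=0):
    """Parse a (possibly compressed) name at `off`; return (labels, offset after it).
    Raises ValueError whenever a label length or pointer runs past the total data length."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("offset beyond data")
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                          # 2-byte compression pointer
            if off + 1 >= len(buf) or hops > 16:
                raise ValueError("bad pointer")
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            sub, _ = read_name(buf, ptr, hops + 1)
            return labels + sub, off + 2
        off += 1
        if ln == 0:
            return labels, off
        if off + ln > len(buf):
            raise ValueError("offset beyond data")
        labels.append(buf[off:off + ln])
        off += ln


def name_ok(labels):
    """Basic domain-name characteristics: label length, total length, allowed characters."""
    return (sum(len(l) + 1 for l in labels) <= 253 and
            all(1 <= len(l) <= 63 and set(l) <= NAME_CHARS for l in labels))


def check_dns(payload):
    """Return the sorted anomaly types for one DNS message; an empty list means it conforms."""
    if len(payload) < 12:
        return ["short_header"]
    found = set()
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", payload, 0)
    off = 12
    try:
        for _ in range(qd):                            # question section
            labels, off = read_name(payload, off)
            qtype, _ = struct.unpack_from("!HH", payload, off); off += 4
            if qtype not in VALID_TYPES: found.add("invalid_request_type")
            if not name_ok(labels): found.add("bad_domain_name")
        if flags & 0x8000 and (flags & 0xF) not in VALID_RCODES:
            found.add("invalid_response_type")
        for _ in range(an + ns + ar):                  # answer / authority / additional records
            labels, off = read_name(payload, off)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", payload, off); off += 10
            if off + rdlen > len(payload): raise ValueError("offset beyond data")
            if rtype not in VALID_TYPES: found.add("invalid_response_type")
            elif rtype in FIXED_RDLEN and rdlen != FIXED_RDLEN[rtype]:
                found.add("response_type_content_mismatch")   # declared type vs actual content
            off += rdlen
    except (ValueError, struct.error):
        found.add("bad_offset")                        # data offset beyond total data length
    return sorted(found)


def analyse(packets, type_threshold=1, ratio_threshold=0.5):
    """packets: iterable of (src_ip, dst_ip, dns_payload_bytes). Returns {(src, dst): info}
    for address pairs whose distinct anomaly types exceed type_threshold AND whose
    abnormal/total ratio exceeds ratio_threshold (my reading of claim 1; defaults are assumptions)."""
    stats = defaultdict(lambda: {"total": 0, "abnormal": 0, "types": set()})
    for src, dst, payload in packets:
        s = stats[(src, dst)]
        s["total"] += 1
        kinds = check_dns(payload)
        if kinds:
            s["abnormal"] += 1
            s["types"].update(kinds)
    alarms = {}
    for pair, s in stats.items():
        ratio = s["abnormal"] / s["total"]
        if len(s["types"]) > type_threshold and ratio > ratio_threshold:
            alarms[pair] = {"abnormal_types": sorted(s["types"]), "abnormal_count": s["abnormal"],
                            "total": s["total"], "ratio": ratio}
    return alarms


# Helpers to build constructed sample packets (not captured traffic).
def encode_name(name):
    return b"".join(bytes([len(l)]) + l for l in name.encode().split(b".")) + b"\x00"

def build_query(name, qtype=1):
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(name, rtype, rdata):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    q = encode_name(name) + struct.pack("!HH", rtype, 1)
    ans = b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata  # name pointer to offset 12
    return hdr + q + ans

# Constructed sample traffic: one normal resolver pair and one pair sending junk over port 53.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.53", build_query("example.com")),
    ("10.0.0.5", "10.0.0.53", build_response("example.com", 1, bytes([93, 184, 216, 34]))),
    ("10.0.0.9", "203.0.113.7", build_query("example.com", qtype=0)),            # invalid request type
    ("10.0.0.9", "203.0.113.7", build_response("example.com", 1, b"\x01" * 7)),  # A record with 7-byte RDATA
    ("10.0.0.9", "203.0.113.7", build_query("ex!mple.com")),                     # character outside basic name rules
    ("10.0.0.9", "203.0.113.7", struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + b"\x3fabc"),  # label runs past data end
    ("10.0.0.9", "203.0.113.7", build_query("example.com")),
]

if __name__ == "__main__":
    for pair, info in analyse(SAMPLE_PACKETS).items():
        print(pair, info)
```

Run on the constructed sample, the resolver pair (10.0.0.5 to 10.0.0.53) produces no alarm, while the second pair accumulates four distinct anomaly types in four of five messages and trips both thresholds. The alarm record carries the fields claim 6 lists (address pair, abnormal types, abnormal count, ratio); storing the offending payloads for retrospective analysis (claim 3) would be a matter of appending `payload` to a per-pair list inside `analyse`.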
CN202010392083.9A 2020-05-11 2020-05-11 Abnormal communication detection method and device, electronic equipment and storage medium Active CN111600865B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010392083.9A CN111600865B (en) 2020-05-11 2020-05-11 Abnormal communication detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010392083.9A CN111600865B (en) 2020-05-11 2020-05-11 Abnormal communication detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111600865A CN111600865A (en) 2020-08-28
CN111600865B true CN111600865B (en) 2022-06-07

Family

ID=72191084

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010392083.9A Active CN111600865B (en) 2020-05-11 2020-05-11 Abnormal communication detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111600865B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022104738A1 (en) * 2020-11-20 2022-05-27 华为技术有限公司 Trojan detection method and apparatus, and device
CN112543199B (en) * 2020-12-07 2022-12-23 北京明略昭辉科技有限公司 IP abnormal flow detection method, system, computer equipment and storage medium
CN112882905A (en) * 2021-03-22 2021-06-01 四川英得赛克科技有限公司 Method, system and electronic equipment for judging whether network communication behavior is abnormal or not
CN113206761B (en) * 2021-04-30 2022-11-22 深信服科技股份有限公司 Application connection detection method and device, electronic equipment and storage medium
CN114338109B (en) * 2021-12-17 2023-07-14 北京安天网络安全技术有限公司 Flow detection method and device, electronic equipment and computer readable storage medium
CN115134306A (en) * 2022-09-01 2022-09-30 杭州安恒信息技术股份有限公司 Data traffic detection method, device, equipment and medium for terminal of Internet of things
CN116405274B (en) * 2023-03-27 2024-02-27 中国华能集团有限公司北京招标分公司 Abnormal flow detection and analysis method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010037261A1 (en) * 2008-09-26 2010-04-08 中联绿盟信息技术(北京)有限公司 Equipment and method for network abnormal traffic analysis
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 A kind of network based on HTTP flow analyses is stolen secret information behavioral value method
CN109120733A (en) * 2018-07-20 2019-01-01 杭州安恒信息技术股份有限公司 A kind of detection method communicated using DNS
CN111131126A (en) * 2018-10-30 2020-05-08 中国电信股份有限公司 Attack detection method and device

Also Published As

Publication number Publication date
CN111600865A (en) 2020-08-28

Similar Documents

Publication Publication Date Title
CN111600865B (en) Abnormal communication detection method and device, electronic equipment and storage medium
CN109951500B (en) Network attack detection method and device
US11797671B2 (en) Cyberanalysis workflow acceleration
Jiang et al. Identifying suspicious activities through dns failure graph analysis
CN105099821B (en) Method and device for monitoring flow in virtual environment based on cloud
EP2953298A1 (en) Log analysis device, information processing method and program
US20050108377A1 (en) Method for detecting abnormal traffic at network level using statistical analysis
CN106302450B (en) A kind of detection method and device based on malice address in DDOS attack
EP2854362B1 (en) Software network behavior analysis and identification system
CN105516390B (en) Domain name management method and device
KR20120087393A (en) Method for real-time detecting anomalies using dns packet
CN108270778A (en) A kind of DNS domain name abnormal access detection method and device
EP3242240B1 (en) Malicious communication pattern extraction device, malicious communication pattern extraction system, malicious communication pattern extraction method and malicious communication pattern extraction program
CN111079138A (en) Abnormal access detection method and device, electronic equipment and readable storage medium
CN109862129A (en) DNS Traffic anomaly detection method, apparatus, electronic equipment and storage medium
CN113472798A (en) Network data packet backtracking analysis method, device, equipment and medium
CN115664833B (en) Network hijacking detection method based on local area network safety equipment
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN113726775B (en) Attack detection method, device, equipment and storage medium
US9049170B2 (en) Building filter through utilization of automated generation of regular expression
EP4081923B1 (en) Human activity detection
CN112073258B (en) Method for identifying user, electronic equipment and storage medium
CN109495538B (en) Method and device for detecting number of shared access terminals
CN116471047A (en) Method and device for detecting automated frame crawler and readable storage medium
CN113709193A (en) WEB weak password detection method based on traffic and dynamic page characteristics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant